Should you be worried about the cloud?

2014 did a lot to raise public awareness of cloud technologies, but not always
for the right reasons. Sophie Curtis talks to Jason Zander, corporate
vice president of Microsoft Azure, about security in the cloud

From the iCloud breach that saw nude images of Jennifer Lawrence and other celebrities leaked online to 'The Snappening', that resulted on thousands of private Snapchat images being released by hackers, 2014 did a lot to raise public awareness of cloud technologies.

These high-profile breaches inevitably gave rise to increased anxiety and trust issues around the robustness of cloud-based services. But how much should you worry about using the cloud, and is it really any less secure than storing all your data locally on your PC or phone?

'The cloud' is a nebulous term that describes the vast mass of internet-connected computers, on which people or companies can rent processing power and data storage. It is used for everything from hosting websites to storing archives to running massive data-crunching operations.

There are three main 'public cloud' providers – Amazon, Google and Microsoft – and between them, these companies support a wide array of online services and businesses, from Netflix and Foursquare (Amazon) to Coca Cola and Ocado (Google) to Heineken and GE Healthcare (Microsoft).

Using a cloud service generally means that whatever data you choose to share will be processed and stored on computers owned by one of these companies, and they will be responsible for keeping that data safe and secure from hackers or other parties wanting to get their hands on your information.

However, the main problem with the cloud from a security perspective is that these massive banks of computers containing reams of data act as honeypots for hackers, because the reward for getting inside is far greater than breaking into a single computer. Cloud providers therefore have to ensure that their protections are extremely strong.

Generally, the level of security applied to information varies depending on the sensitivity of the data, so government documents and valuable intellectual property will be protected by additional layers of security compared with everyday consumer documents and photos, for example.

In some cases, cloud providers may have to prove that they are compliant with various security standards and protocols, in order for companies or public sector bodies to agree to use their services.

Microsoft, for example, recently became the first major cloud provider to adopt the world’s first international standard for cloud privacy (ISO 27018), which provides enterprise customers with multiple assurances that their privacy will be protected.

One of the arguments in favour of the cloud is that these security protections are much stronger than anything the average consumer would be able to use to protect their own data.

"When I think of the data centres that we’re running, it starts of with just physical security – making sure the buildings are secure, the alarms and the guards and all the rest of that," said Jason Zander, corporate vide president of Microsoft's cloud platform, known as Azure.

"I don’t have my phone under armed guard, I’m not constantly running software to scan it and look through it, and I don’t have full-time security teams making sure my phone is locked down."

Mr Zander also pointed out that cloud providers like Microsoft run both consumer and enterprise applications in the same data centres, so in some sense at least, consumers are receiving the same basic level of protection as enterprises.

"We are running the same core software, we have the same set of security teams and protocols. So from that perspective, we’re bringing all those exact same controls in," he said.

"Azure has additional certifications that are established by governments or by industry sectors, so there is an above-and-beyond level of certification that we do go after in the enterprise space, but all the core stuff is basically going to be the same."

So given the robust protections in place, why do cloud data breaches happen? Mr Zander said that the complex nature of cloud infrastructure means that the cloud is only as secure as its weakest link.

In other words, anyone who downloads a malicious application onto their computer or smartphone could potentially introduce a vulnerability to the cloud next time they log in using that device.

"In some of the cases, like the iCloud hack, it had nothing to do with the cloud actually. If you can unlock the phone, you have access. So they weren’t actually cloud hacks, they were device hacks," he said.

"It’s going to take cooperation between the devices, the cloud vendors, the software writers, the people that write the apps that go on those. Everyone has to do their part in creating a secure environment."

While using cloud services means that you are essentially relying on a third party to protect your information on your behalf, the cloud is so much a part of the online ecosystem that it is difficult to avoid. Facebook, Dropbox, Netflix, Spotify – almost any web-based service you can think of uses the cloud in some way.

As the so-called 'Internet of Things' becomes more ubiquitous, the majority of smart home and smart city applications will also rely on the cloud for processing and analysing data.

It is perhaps unrealistic, therefore, that anyone who hopes to engage in the digital world will be able to avoid using the cloud. However, consumers owe it to themselves to find out what protections the cloud services they use have in place, and make informed decisions about what data they are willing to share.